Conversation

Notices

1. Embed this notice
   Damien Miller (djm@cybervillains.com)'s status on Monday, 01-Apr-2024 10:04:44 JST Damien Miller

   Here's my 2c on the xz incident.

   This is the nearest of near-misses. Anyone who suggests this was any kind of success is a fool. No system caught this, it was luck and individual heroics. That's not acceptable when unauthorised access to ~every server on the internet is on the table. We need to find a way to do better.

   1/n

   • gidi likes this.
   • Embed this notice
     Damien Miller (djm@cybervillains.com)'s status on Monday, 01-Apr-2024 11:54:13 JST Damien Miller

     in reply to

     One factor in this incident was deep, unexpected dependency chains. I wish distributions would start taking a more minimalist approach to the options they enable in the default packages they ship.

     What fraction of the sshd userbase actually needs Kerberos or SELinux (which also depends on liblzma) enabled? Put that stuff in an alternate package and reduce the exposure for the rest of your users. Fewer dependencies means less attack surface and less supply-chain risk

     2/n

   • Embed this notice
     Damien Miller (djm@cybervillains.com)'s status on Monday, 01-Apr-2024 11:54:13 JST Damien Miller

     in reply to

     Few of the mooted software-supply chain defences would have prevented this, as the attacker was a (relatively) long-term maintainer, was not averse to using sockpuppet accounts and was careful to hide their exploit from automated tools.

     Worse, many of the solutions being offered increase the workload on maintainers. But maintainer burnout was a key factor in this incident. We need to find a way to support maintainers while being proscriptive or parentalistic.

     3/n

     Haelwenn /элвэн/ :triskell: likes this.